I’m looking for staff : Security, Governance, Risk and Compliance

Posted on September 01, 2012

Six more positions are available in the Enterprise Information Security Management team at Transnet, within the IT Security, Governance, Risk and Compliance competency areas.

We have a lot of challenging but interesting work ahead of us. If you want to learn a lot, apply what you have learned, be part of a hard working and performing team, then please apply :)

  • ICT Continuity Compliance Manager
  • IT Risk and Compliance Manager
  • Information Security Subject Matter Expert
  • Information Security Analyst (SME) x 2
  • Senior Security Analyst (inc Forensic & Incident)

These positions are all based in the Johannesburg CBD (Carlton Centre) and are manager or senior consultant level positions.

External applicants must apply by submitting CVs electronically to recruitment@transnet.net by 16h00 on 07 September 2012. Any questions regarding the positions should be sent to linneth.mpete@transnet.net.

Further details for each of the positions can be found here :http://lnkd.in/gyy9FR  (Google Plus)

We urge all our employees, clients, members of the public and our suppliers to report any kind of fraud or corruption at Transnet. Call the hotline toll free number: 0800 003 056 or email Transnet@tip-offs.com

Security and Ethics presentation UKZN MBA Class 2012

Posted on August 19, 2012

Friday night (17 August 2012) I had the privilege presenting to the University of KwaZulu Natal 2012 MBA Class on information security. Given it was a Friday night the attendance was relatively small but it was good to see that the majority of the class stayed for the 2 hours we had together. Some interesting and insightful questions was raised and discussed. It is good to see people “get it”.

The presentation is attached for those who are interested. Get it here: security and ethics 2012 UKZN MBA Aug 2012 (updated)

Update 2012/09/12 : Apologies, the previous PDF was corrupted somehow. It has been re-uploaded and checked.  

Focusing on People vs Technology in INFOSEC : Additional thoughts

Posted on July 22, 2012

This evening I came across this rather post on Trustedsec.com titled “Focusing on People vs Technology in INFOSEC” and it struck home. Everything in there I agree with. I would suggest you go and read it (link here).

I don’t want to plagiarise huge sections of the article, but am quoting fair bits of it below to introduce my own thoughts on the matter. To summarise (and paraphrase):

  • Organisations seem happier to invest in technology, such as security products, rather than in people
  • Organisations tend to have higher capital expenditure budgets rather than operational (direct expenditure)
  • There is generally a lack of people and programmes to support security technology implementations
  • There needs to be a much greater focus on people, without the right people product implementations fail

The author then goes on suggest eight steps to consider when building a security programme. These are repeated verbatim below :

  1. Focus on culture and having a fun environment for your people to work.
  2. Sending the team to security conferences and additional training events.
  3. Have a clear and concise roadmap for your team and an understanding of career advancement.
  4. Focus on building security programs first before ever investing in technology — use technology for automation.
  5. Work on automating and streamlining processes versus adding additional work on broken ones.
  6. Staff appropriately and fight for additional headcount where it is needed. Be careful on over hiring.
  7. Take time out of your day to focus on people and seeing how they are doing and if there is anything you can do.
  8. Communication. Communication. Communication… Did we say Communication?

I agree with all of the above. There are organisations who want to hire experienced people who can come straight in and do the job, who have all the experience and qualifications, but then don’t want to send them on training or want them to learn new skills. I find this to be a very short-sighted view. One of the hardest parts of setting up and running an effective information security team is finding and retaining the high calibre staff which will make it successful.

What will attract the right kinds of people? A learning environment. One where they can come in, be part of a team, have fun, learn new skills, share existing skills and knowledge while making use of these skills and taking themselves to the next level. I have always found that by encouraging people in your team, across all levels, to study, to take on new challenges and to better themselves boosts the confidence and productivity of all. I see a lot of debate around whether CISSP or CISM is the better qualification, or sometimes whether they have any value at all. That is largely irrelevant in my view. I would (and have) encourage my staff to do either. Going through the process helps the inexperienced learn new skills, and gives recognition to those who already have the skills. This is good for self-confidence and career prospects, either in the organisation or outside.

I have also found that by focussing on people and teaming, people will develop loyalty, both to you as a manager and mentor, as well as to the organisation. You are more likely to retain these people longer, and reap the rewards from the investment that has been made, despite the fears that once qualified they will leave. When you have a great learning environment then people will also be attracted to come and work with and for you. Half the battle is then won.

All the grand plans in the world will come to nothing unless you have people who will work with you, support you and enable those plans to come to fruition. There are going to be times when a lot of hard work is required, but, hard work towards a known goal, where you are learning, having fun and being productive doesn’t always feel like hard work, and staff will give of their extraordinary efforts willingly. At the same time, don’t take them for granted. Small gestures can go a long way.

In all of this, technology is also important. Not so much the technology you end up implementing, but the technology you make available to the staff to experiment, play and learn with. While (mostly) any tool can get the job done, key is making sure that you know those tools intimately. When they are in production it is hard (and dangerous) to play with them, however, having a lab environment with the right hardware, software and connectivity gives the freedom for people to learn and become the best they can be. This also keeps the job fresh and rewarding. Don’t forget this when preparing the budget – even though it may appear to be an unnecessary luxury. Be prepared to debate around and defend this portion of the budget just as much as your capex, salaries and training.

@dave_rel1k (I am assuming you wrote the piece), thanks for sharing, and reinforcing for me the important aspects to focus on when building an information security team who can transform the organisation.

Cyber Defence and Network Security Africa : Cloud-based Scanning

Posted on July 16, 2012

I am speaking tomorrow (17 July 2012) at the Cyber-Defence and Network Security Africa conference (www.cyberdefenceafrica.com) at the Crowne Plaza in Rosebank.

Time : 12:15 Cloud-based scanning: A case study from Transnet

  • The need for a supplemental, cloud-based scanning solutions
  • Cloud based scanning: how it works, the benefits, and limitations
  • Implementation challenges and lessons learnt at Transnet

Download a copy of the presentation here : Cloud scanning

Then later in the day I will be participating in a panel discussion with the esteemed Barry Irwin and Kabuthia Riunge. Details of this listed below, should be an interesting 45m.

16:00 Panel discussion: Cyber threats over the horizon and the future of information security

  • The current threats, and how these are likely to evolve over the medium term
  • State and non-state actors and the threats each poses
  • Preparing for cyberwar—what can (and what should) the private sector do
  • The future of cybercrime


  • Barry Irwin, Senior Lecturer, Rhodes University
  • Justin Williams, Principal Specialist: Information Security, Transnet
  • Kabuthia Riunge, Senior Information Security Officer, Central Bank of Kenya

Your twitter account has been hacked? How to fix this (and avoid it happening again)

Posted on July 01, 2012

My Twitter account was “hacked” a number of months back, and the accounts of a number of people I follow have been hacked on a fairly regular basis since. This is unfortunately a regular occurrence and spammers are increasing their efforts to get access to people’s accounts to spam their followers.

How do you know if someone you are following has been “hacked”? 

You will in all likelihood get a direct message from someone you follow which will be a generic message (but interesting or tempting one) which will have an embedded link to a site. Links these days are mostly shortened so you won’t immediately be able to see the final destination site. Clicking on it could be compromising your account and / or delivering up malware to your PC which your Antivirus software may or may not detect. So avoid clicking these.

Common messages that are coming up recently as direct messages include :

  • Twitter might start to charge in July, sign this petition to keep the service free! (link removed)
  • Hi, this user is saying really bad rumors about you … (link removed)
  • Hi some person is saying really bad things about you … (link removed)
  • Hi somebody is posting horrible rumors about you … (link removed)
  • Hey someone is saying nasty things about you… (link removed)
  • Various messages about weight loss or other obvious spam

How do you know if you have been “hacked”?

Your followers will send you messages pretty quickly to tell you, or they will be asking you why you are sending them strange messages (like the ones above). Don’t ignore these or react negatively, thank them for the warning and get on with fixing the problem before more of you followers are spammed and / or compromised.

What to do when you have been “hacked” ?

  1. Change your password.
    • Choose something decent, not a real language word, chuck in some numbers or special characters, and don’t think you are smart by using l33t sp3@k (leet speak).
    • Ra35!!me would be good, whereas P@ssw0rd would be bad.
  2.   Check to see what applications are “authorised” against your account. This can be used to keep sending SPAM even after you have changed your password.
    • Log in to your Twitter account on the web and open up your account settings.
    • Click on the Apps tab in the left-hand menu.
    • Read down through the list of applications to see that you know about them and trust them
    • If unsure of an application, revoke its access. You can always approve it again later.
  3. Check that if you associated your mobile number with your twitter account you have set up a PIN
    • Log in to your Twitter account on the web and open up your account settings.
    • Click on the Mobile tab in the left-hand menu.
    • Choose a PIN if you don’t have one (mix of 4 numbers and letters)
    • Go to the bottom of the page and click Save changes.
    • If your PIN is OK you will see a confirmation message.
  4. Apologise to your followers. Send them here if they have been “hacked”. Shortlink : http://j-j.co.za/twithack
  5. Be vigilant

 How did you get hacked?

You may have clicked on one of the direct message links as per the examples above, or you may have received an interesting tweet or link to :

  • Sign a petition to stop twitter becoming a pay service
  • Save the Rhino, the Dolphins or the World
  • Anything else that looked interesting

If you do inadvertently click on a link, in some cases the URL shortening service (eg. bit.ly) will pop up a warning where they have determined the link to be dangerous. Consider this your guardian angel, say thanks and close the window.

If unlucky, you will end up on the page the attackers want you to. The most recent two I investigated put me on a page on tvvitiler.com which was a copy of the twitter login page with a timeout message asking me to log in again. If you are unfortunate enough to do so, that’s you toast, proceed to the fix section below :) The sites hosting these fake login pages vary from post to post and are more often than not themselves hacked, with the unlucky owners unaware of what is happening.

Chances are therefore that some website or app somewhere conned you into giving your credentials to Twitter or the app/site so that it could post something on your behalf. It may well be something that you wanted posted, however, it then piggybacks off that to send a whole lot of unwanted stuff. Just be aware, and vigilant, and followup quickly when something happens.

With information security, knowing how to react and clean up is just as important as prevention. It is not a matter of if, but of when your account will be compromised.

Thanks to :

  • Mandy Wilson (@Mandywilson_SA)
  • Samantha (@MetroGalZN)

If you have further comments and insight please leave it in the comments here or tweet me (@jjza). Please share this information (http://j-j.co.za/twithack)

P.S. To those infosec folks reading this, apologies for my very liberal use of the word “hack”

High volume banking spam purporting to be from FNB

Posted on June 28, 2012

I have received High volume banking spam purporting to be from FNB for the last number of days. The only difference between these messages is the embedded link. Most are just URLs, some though have an x-apple-MSG-load in them.

Message and links below.

From : FNB (ibt@onlinedata.co.za)
Subject : Return on Charges

You are hereby notified that FNB is giving back all accumulated fees on taxable income that have been carried out over a period of one year. This is as a result of the new regulation imposed on banks by SARS. Please note that you have to follow the instructions below to the latter in other to ensure the funds is remitted into your account .

If you have an account with us, Kindly click here now.

© 2012 FirstRand Bank Limited.
An Authorised Financial Services and Credit Provider (NCRCP20). All rights reserved.

I have received 10+ of these a day for the last week or more. I have removed the link from the above so it isn’t live. In the mails the link varies between a number of sites some of which are listed below:
http://sushilcheema.com/charge_deposit_fnb_paid2/index dot php
http://sushilcheema.com/charge_deposit_fnb_pays/index dot php
http://istudymedia.com/charge_deposit_fnb_paid4/index dot php
http://digitalarborist.com/charge_deposit_fnb_pays/index dot php
http://createemailcampaigns.com/charge_deposit_fnb_payee/index dot php

Has anybody else been flooded with these?

ISACA 2012 conference happening from 10-12 September 2012, registrations open soon

Posted on June 17, 2012

The ISACA South Africa 2012 conference is happening from the 10-12 September. Diarise the dates, get those purchase requisitions in. If you are wanting to present at the conference then mail Nadine (admin@isaca.org.za) – the speaker lineup is being finalised shortly so hurry up to make sure you don’t miss out.

The conference is being held at the Wanderer’s Club in Illovo. It’s right next door to the Protea hotel if you need accommodation, and is also served by the Gautrain and their buses, with a bus stopping right outside the hotel gates.

Hope to see you all there.

Security Summit 2012 presentations now available

Posted on May 24, 2012

The IT Web Security Summit is the premier security event on the South Africa security conference calendar. IT Web has kindly made the presentations and recordings of the presentations available on their website. If you missed out or are simply looking for a re-cap of the great material, take a wander over to the ITWeb site and catch up.

This was one of the first security events that I have seen dedicate a presentation track to ERP/SAP Security. Check out the presentations by :

  • Juan Pablo Perez Etchegoyen Cyber-Attacks on SAP & ERP systems: Is Our Business-Critical Infrastructure
  • Chris John Riley SAP (in)security: Scrubbing SAP clean with SOAP
  • Ian de Villiers Systems Applications Proxy Pwnage
  • Marinus Van Aswegen Securing SAP

Link to IT Web Security Summit Downloads

The painful process of recovering from an Identity Theft

Posted on May 20, 2012

The last while has been a painful hassle filled experience. It seems that somebody (or bodies) stole my identity and opened accounts at Truworths and Identity in my name. They bought goods for thousands of rands, and of course never paid any of it back.

Then the phone calls and SMSs start, and they go on an on and on. They start by asking me for my personal information (which I refuse to give) and then proceed to tell me I owe this money, which I refute. They don’t listen to what I am saying, seem not to record it on whatever system they use to keep track of calls, and just keep calling and SMSing. I am on the stubborn side, so when these people tell me what I have to do, (go to police station, make affidavits, send copies of ID and proof of this and that) I simply say no, I have no contract with you, haven’t done any of this so I am not doing your bidding. Perhaps a less than sensible approach, I’m not sure. Perhaps if the call centre agents did more this could be avoided.

This all came to a head a few weeks ago, I tried to take out a new cell phone contract and was then told that my request had been declined. I must call TransUnion ITC. This I then did and ended up with a less than satisfactory experience. The whole thing had now snowballed and I was listed for :

  • Debt owing to Truworths
  • Debt owing to Identity
  • A trace alert for some debt collection agent (acting on behalf of one of the above) who could not get hold of me (i.e. I refused to call them back in response to SMS’s sent to me) – the cheek of it!

On many calls to TransUnion ITC I found out that this is all governed by the National Credit Act. TransUnion representative love to say that they operate in terms of this legislation and I must do X or Y in terms of it. However, once I had downloaded it and read it, and seen what my rights were in terms of the Act and how they were supposed to behave, then I found that the representatives of TransUnion ITC actually hadn’t read the act in their recent past, didn’t know the Act and couldn’t tell me why they hadn’t behaved in terms of the act.

I also discovered that their supervisors take an awful lot of loo breaks, smoke breaks and generally over the course of a Saturday morning/afternoon are never available when they should be, and that despite promised to have them call back they just don’t. Really bad customer service. Makes me wonder whether a) the call agents were covering for dudes who aren’t at work or b) the supervisors don’t know how to deal with customers who ask awkward questions so just don’t call back and then have the call agents lie to customers when asked. Either way a pretty unsatisfactory situation.

Download yourself a copy of the National Credit Act of 2005 here. You can also visit the site of the National Credit Regulator (NCR) here.

Some key extracts here :

62. Right to reasons for credit being refused

62. (1) On request from a consumer, a credit provider must advise that consumer in writing of the dominant reason for- (a) refusing to enter into a credit agreement with that consumer;
(2) When responding to a request in terms of subsection ( l ) , a credit provider who has based its decision on an adverse credit report received from a credit bureau must advise the consumer in writing of the name, address and other contact particulars of that credit bureau.

All credit to Makro here, they provided me with immediate verbal feedback on the fact that my credit had been rejected on the basis of an adverse report from TransUnion ITC, and even gave me the (wrong) phone number for them. They tried to be very helpful. Any credit provider rejecting you has to tell you why, if they won’t, insist on it.

66. Protection of consumer credit rights

66. (1) A credit provider must not, in response to a consumer exercising, asserting or seeking to uphold any right set out in this Act or in a credit agreement –
(a) discriminate directly or indirectly against the consumer, compared to the credit provider’s treatment of any other consumer who has not exercised, asserted or sought to uphold such a right;
(b) penalise the consumer;

This one is interesting. I have yet to go back to a credit provider after having filed all the documentation so haven’t yet had a need to do this. The consultant at TransUnion ITC did advise me however that I shouldn’t bother trying to take out a contract while a dispute was underway, as although the law says it can’t be held against me, I won’t be given credit. Mmmm, more on this later.

70. Credit bureau information

70(2) A registered credit bureau must-

(a) accept the filing of consumer credit information from any credit provider on payment of the credit bureau’s filing fee, if any;
(b) accept without charge the filing of consumer credit information from the consumer concerned for the purpose of correcting or challenging information otherwise held by that credit bureau concerning that consumer;
(c) take reasonable steps to verify the accuracy of any consumer credit information reported to it;
(i) not knowingly or negligently provide a report to any person containing inaccurate information.

Point (c) above says that TransUnion should take reasonable steps to verify the accuracy of information reported to it. When I asked them what they had done to verify information, they said they had done nothing. Since the info was provided by “reputable” companies they don’t check anything. I’m pretty sure that this is not in accordance with the letter or spirit of (c) above. Further, now that I have lodged a complaint against the false information against my name, if they provide any incorrect information to another credit provider then I am pretty sure they will be acting contrary to clause (i) above too.

72. Right to access and challenge credit records and information

72. (1) Every person has a right to-
(a) be advised by a credit provider within the prescribed time before any prescribed adverse information concerning the person is reported by it to a credit bureau, and to receive a copy of that information upon request;
(c) challenge the accuracy of any information concerning that person-
(i) that is the subject of a proposed report contemplated in paragraph (a); or
(ii) that is held by the credit bureau or national credit register, as the case may be, and require the credit bureau or National Credit Regulator, as the case may be, to investigate the accuracy of any challenged information, without charge to the consumer; and
(d) be compensated by any person who reported incorrect information to a registered credit bureau or to the National Credit Register for the cost of correcting that information.

(3) If a person has challenged the accuracy of information proposed to be reported to a credit bureau or to the national credit register, or held by a credit bureau or the national credit register, the credit provider, credit bureau or national credit register, as the case may be, must take reasonable steps to seek evidence in support of the challenged information, and within the prescribed time after the filing of the challenge must-
(a) provide a copy of any such credible evidence to the person who filed the challenge, or
(b) remove the information, and all record of it, from its files, if it is unable to find credible evidence in support of the information, subject to subsection (6).

(5) A credit bureau or the National Credit Register may not report information that is challenged until the challenge has been resolved in terms of subsection (3)(a) or (b)

Section 72(1)(a) says the credit providers are supposed to notify me that they are blacklisting me and give me a copy of the information. They never did this. Perhaps they sent it to the fraudulent person, however, I don’t live at that fake address. I own a house, the details of which would be on my credit record since I still have a bond on it. Surely they can put two and two together. Seems they couldn’t be bothered. Either skip that step, or do enough to cover themselves without actually doing what is intended.

In terms of the above, I had to lodge a challenge (c), which I did. TransUnion required copies of my ID, Proof of address, three copies of my signature, and an affidavit from the local police station stating that I did not incur the debt. I did all of these, still waiting for the 20 working day period to receive confirmation that it has now been removed. In this 20 days it will be up to Truworths and Identity to provide evidence to the contrary. Let’s see how this plays out.

Section (5) above is also interesting. In terms of this, TransUnion can’t report any of the challenged information until such time as the challenge is resolved. Great, since I am challenging the adverse reports on my credit record, my record must then be clean, right? Wrong, or so it seems. Despite the clause above the friendly consultant happily told me about the “get out of jail free” mechanism that the credit bureau’s and credit providers have dreamed up. So, since the bureau can’t tell the provider about the issues under dispute, they simply “block” the whole account by telling the provider it has been “flagged” as dispute. What? Yep, that’s right. Since I have challenged the false information against me, my credit record is now flagged in such a way that I can’t get credit. Seems pretty damned unfair to me. Other than being against the spirit of section (5) above, it also seems to be against Section 66(1)(b) which said that I shouldn’t be penalised for exercising my rights in terms of the Act.

After lodging all my documentation, it took TransUnion a couple of days to process the documentation faxed through. So much for being able to apply again the next day. I received a confirmation SMS that the “trace” against me had been removed. Though I neglected to say above that it took a 15m argument with a call centre agent and a discussion with their supervisor, pointing out the clauses above, and again pointing out that I had the right to dispute anything on my record, and they had a duty to check the accuracy of information, before they would agree to remove the trace.

When I get time (probably next weekend) I will try and apply again for credit. Partly because I am trying to get rid of Vodacom as a service provider (see earlier posts) and partly because I am curious to see if TransUnion ITC are actually blatantly breaking the law as their call centre agents seem to be implying.

I am interested in hearing from others who may have had similar experienced. Just how widespread is this? And what has your experience been with both the credit providers and TransUnion ITC?

P.S. I am still waiting for that supervisor to call back 2 weeks later. That’s a terribly long toilet break, perhaps somebody should be sending a search and rescue team, he must be pretty constipated in there.

P.P.S. I am not a lawyer. I have listened to people from various service providers and read the law (quoted above), which seems to be more than I can say for them. They may well have a whole bunch of lawyers who are smarter than I, and found ways around the law, or are just taking a chance that most consumers don’t have a copy of the law and wouldn’t have read it. Still, read it for yourself, and if you are acting on the above in a way which is going to prejudice you, rather consult a lawyer first.


Oops Vodacom, minor privacy violation occurred (updated, Vodacom response)

Posted on September 02, 2011

Tonight I picked up my Vodacom statement/invoices from the Post Office. A few weeks late, my delay not the post office. Inside were the statement and invoices for the 3 phones I have with Vodacom (all good) and the invoice and itemised billing for one Dear Doctor (name withheld). Oops.

So this (minor?) mistake gives me this (previously unknown to me) person’s name, address, phone number, and details of all the calls they have made in the last month. This most certainly constitutes a privacy breach as well as violation of the Protection of Personal Information Act (which is not yet law). It would be interesting to ask the good doctor how he/she feels about their information being disclosed to me.

This also gets me wondering, how often such “incidents” happen and what Vodacom (or any other services provider) does when these mistakes happen. If I tell them the details, will they at least be so kind as to let the good doctor know? Interesting question indeed.  If you have experienced similar incidents in the past, please share. I am curious as to how often this happens. In the 15 years of being a Vodacom customer this is the first time I have experienced this problem, so using some simple (and statistically unsound) extrapolation, 1 / (15*12) = 0.5555%.  I couldn’t find recent stats on how many customers, but found a figure of 1.4million in June 2004. Lets assume this has grown to 2 million by name (could be way more). Apply our disclosure percentage, then we have 11,111 (eleven thousand one hundred and eleven) subscribers information being accidentally disclosed every month. That’s rather scary.

Questions for Vodacom : 

1. What is the real number ?

2. What does Vodacom do when they mess up like this?

Care to provide us with some answers?


Dear Readers,

If this was your information that had been provided to me, what would you want me to do with it?

  1. Destroy the page and tell no-one?
  2. Report it to Vodacom and let them deal with it?
  3. Drop you a call/sms so you could take it up with them?
Please share your thoughts.
Update 3/9/2011 4pm: 
Vodacom picked up on the tweet of this article (@uyspj on the ball as usual) and tried to call me this afternoon. Unfortunately I missed the call and no return number was left. They then communicated via twitter, obtained an email address and we are trying to organise a time to talk on Monday.
The email indicated that this is an isolated incident and that no such incident has been reported before. Glad to see them taking this seriously.
Update 6/9/2011 8:30am: Vodacom responds

Vodacom was in regular contact with me yesterday, I provided the account number of the affected DR and they investigated the circumstances around the issue as well as contacted and apologised to the affected parties (according to them).

Per an email I received this morning, Vodacom explained the cause of the problem as follows :

” The miscellaneous error crept in due to the manual insertion of an Internet tariff brochure to some of our data customers which was a deviation from our normal automated billing run. Because some bills had to be picked out of the process and manually put into envelopes, this is where the problem occurred. Please be assured that this was an isolated incident and that this is certainly not a recurring problem.

We do thank you for alerting us to this particular incident and would like to apologise to you for it, as we will also do with Ms xxxxx (name removed by me).”

This explanation is believable given my original statement that as a Vodacom customer for around 15 years and this is the first incident that happened.  Good to see Vodacom responding so promptly, investigating, coming up with the answers and sharing with the affected parties.

Once again, @uspj is on the ball. I am really impressed by his commitment to customer service and keeping his finger on the pulse, and handling it personally.

Security and Ethics presentation at UKZN MBA Class 2011

Posted on August 24, 2011

I presented to the 2011 MBA class last week on Information Security and Ethics. A copy of the presentation is uploaded for those who are interested.

Drop me a mail or tweet if you have questions on anything or need more info.

Download here : security and ethics 2011 UKZN mba Aug 2011.pdf

Daniel Cuthbert presenting at ISACA KZN Chapter meeting at Deloitte on 15 July 2011

Posted on June 28, 2011

The next meeting of the ISACA KZN Chapter will be held on Friday 15th July at Deloitte’s offices on La Lucia Ridge.  Please spread the word and make every effort to attend.

KZN regional chapter meeting

  • Date : 15 July 2011
  • Venue : Deloitte’s offices on La Lucia Ridge
  • Speaker : Daniel Cuthbert
  • Topic : “Doing it for the Lulz : Why Lulzsec has shown us to be an ineffective industry.”
    • Daniel will be talking on current activities in information security, web hacking and how to protect yourselves.

Confirmation of attendance

As always, please confirm your attendance with Nadine on 011-803 0803 or admin@isaca.org.za a few days ahead of time.


Converting your ebooks to read on your kindle

Posted on June 18, 2011

Those who read my post from yesterday will know I was frustrated with the process for buying books on Kalahari.net and with the frustration of having to use their proprietary “Beta” software reader which would only work on my laptop but not on my Kindle. I wanted to read “Killing Kebble” on the kindle and couldn’t (Update 13 July, it’s now on Amazon).  Here is how to do it.

I am a long time fan of Calibre as an “iTunes for Kindle” application that will manage your library of books and covert them into the required format for most devices you can think of. It also handles downloading of web sites and making them into “mini magazines” for you to read any place any time. Really great software.

How does this help?

Well when buying books from non-Amazon stores they could be delivered in a number of different formats. epub is a common format for online publishers. Just be careful though. Not all epubs (or ebooks) are created equal and many that you buy will have embedded DRM that stops you using them when where and as you please.

A case in point, ebooks from Kalahari.net and Exclusive books online make use of an Adobe DRM solution.

There is however a solution. Read the rest of this entry »

Sony PlayStation Network hacked, the mea culpa letter and some tidbits

Posted on April 29, 2011

Update :

So now it turns out that Sony have been hacked again, this time it is the turn of Sony Online Entertainment (SOE), the publishing division responsible for maintaining Sony’s numerous online gaming titles, like EverQuest,  EverQuest II,  DC Universe Online and Free Realms. This affects 12,700 credit card numbers and 24.6 million accounts, including accounts in Austria, Germany, Netherlands and Spain.

Read more here : Source: http://www.lazygamer.net/#ixzz1LIYYzCK4

A copy of the press release can be see here : http://www.soe.com/securityupdate/

After the previous PR disaster Sony have been quicker to react this time around, their situation does however go from bad to worse.  The Sony PSN is supposed to be coming back online shortly, along with a few “freebies” to say sorry to all their users. If you are still willing to trust Sony with your info there may be some goodies in there that interest you (the specific ones available to SA haven’t been announced yet), and 30 days free use of PSN+.

Out of interest, there are over 100 000 SA users of PSN : http://www.maxconsole.net/content.php?45820-Revealed-PSN-account-numbers-broken-down-by-country

Original post :

After days of hearing about the Playstation network breach on Sky News and on various sites, and reading about it on various hacking sites, that elusive mea-culpa email finally arrived from Sony.

It says a lot without really saying it. We might have lost your credit card details? Watch your statement?

This really isn’t good enough. Currently being out of the country for a few days, having to cancel a credit card and get another issued would be a real real pain, apart from being rather expensive. There is no talk of compensation for loss in the mail, but then I guess if you have managed to “lose” the details of millions of customers that could be a rather expensive exercise.  My card replacement fee is in excess of R150.  7million x R150 =  over R1 billion just for card replacement fees, before any fraud claims. Expensive mistake? Sony do claim that the database had an encrypted table of credit card details, with no CVS numbers or expiry dates, so perhaps the risk is not all that high of widespread abuse.

It shall be interesting to watch what happens from here on in, and see how the class action suites already being filed play out. Sony has already lost a lot of support and goodwill with the “OtherOS” fiasco and the GeoHot saga. Neither of which are really satisfactorily resolved.

Out of interest, it seems that when Sony first found out about the hack, it was more in the context of people being able to access paid for content without paying. Seems they had insecure methods of requesting that content, and the changing of a simple flag meant you didn’t need to pay. Hackers had produced custom firmware for the PS3 which allowed these changes to be made. It seems that there wasn’t a whole lot of security in the client/server requests. Read some of these here on IRC logs. No certainty on the validity, but sounds plausible enough.

Mocking of Sony abounds on the net (Source: tweet by @mxatone (Thomas Garnier) : http://img.clubic.com/04217086-photo-hack-psn.jpg):

Would you like to download some credit card details?

For those of you who didn’t get the mail (lucky you), here it is :

This is an email from Sony Computer Entertainment Australia Pty Ltd. If you can’t see the images in this email, please click here (link removed)

Valued PlayStation Network/Qriocity Customer:

We have discovered that between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorized intrusion into our network. In response to this intrusion, we have:

  • Temporarily turned off PlayStation Network and Qriocity services;
  • Engaged an outside, recognized security firm to conduct a full and complete investigation into what happened; and
  • Quickly taken steps to enhance security and strengthen our network infrastructure by re-building our system to provide you with greater protection of your personal information.

Read the rest of this entry »

New ISACA audit programs: Cloud computing, Crisis mgt, Infosec mgt, Active Directory, Oracle eBusiness #in

Posted on September 02, 2010

ISACA has recently made 5 new audit programs available, 4 in August and one in July, bringing the total number of available programs to 31.

These new audit programs cover :

  • Cloud Computing Management Audit/Assurance Program (Aug 2010)
  • Crisis Management Audit/Assurance Program (Aug 2010)
  • Information Security Management Audit/Assurance Program (Aug 2010)
  • Windows Active Directory Audit Program (20 Aug 2010)
  • Security, Audit and Control Features Oracle E-Business Suite, 3rd Edition – Audit programs and ICQs (July 2010)

They are all available for download on the ISACA knowledge centre website.

ISACA makes the material available at no cost as a benefit of ISACA membership. Anybody wanting to contribute material to share with fellow professionals can send it to ISACA via research@isaca.org.

%d bloggers like this: